Identifying Risks from Cyber Fraud
By Linda Pierce, Advocacy Leader, Gallagher Regional Claims | December 30, 2018
Cyber scammers have no reservations about checking into your hotel.
Imagine this scenario: your accounting department receives an email from a vendor revising the payment instructions for an invoice that is due. The email provides information about where the payment should be wired, and your employee wires the payment on time. Days later, the vendor contacts your accounting department and requests the payment. Upon investigation, you learn that your business has been victimized by a fraudulent scam. Not only was the money sent to the fraudster, but your business still owes the true vendor the amount it is due.
Now, picture another scenario: an employee receives an email from senior management requesting that a wire transfer be processed so that a large equipment purchase can be completed. The employee dutifully processes the wire transfer to an account with a foreign bank. Later that day, the employee runs into the manager who initiated the request and mentions the transaction was completed. The manager expresses confusion and realizes that the company has been defrauded.
For many businesses, these scenarios are a reality. The Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center, reported in May 2018 that losses from Business Email Compromise (BEC) in 2017 jumped to over $675 million, an 87 percent increase from 2016's losses of $360 million. These figures do not take into consideration those losses that remain unreported.
A BEC occurs when the security of an organization's legitimate email account is breached, allowing fraudsters to learn which financial transactions the organization typically processes and to identify the employees who are essential to those transactions. Fake email accounts are then created to appear legitimate. Typically, a fake email address differs from the legitimate one in subtle ways that are not discernible to the recipient: for example, it may be off by one similar-looking letter, replace "_" with ".", or carry some other slight difference that is imperceptible at first glance.
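The near-miss addresses described above can be screened for mechanically. The following is an added example, not code from the article or from Gallagher: it folds the look-alike substitutions the text mentions (a swapped similar-looking character, "_" for ".") before comparing a sender against an assumed allow-list of known contacts, and flags payment-change requests from any sender that is not an exact match. The contact addresses and sample messages are constructed.

```python
# Added example (not the article's): flag near-miss sender addresses and
# payment-change requests from them, per the description above.
from difflib import SequenceMatcher

# Assumed allow-list of legitimate contacts (constructed sample data).
KNOWN_CONTACTS = {"ap_team@example-vendor.com", "cfo@grandhotel.example"}
# Single characters fraudsters commonly swap for look-alikes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "_": "."})
PAYMENT_KEYWORDS = ("wire", "bank account", "payment instructions", "routing")

def normalize(addr):
    """Lower-case and fold look-alike characters so near-misses compare equal."""
    return addr.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def classify_sender(addr, known=KNOWN_CONTACTS):
    """Return 'known' (exact match), 'lookalike' (near-miss of a known contact)
    or 'unknown'. An exact match is not proof of legitimacy: the real account
    may itself be compromised, so out-of-band verification still applies."""
    if addr.lower() in known:
        return "known"
    folded = normalize(addr)
    for contact in known:
        target = normalize(contact)
        if folded == target or SequenceMatcher(None, folded, target).ratio() >= 0.9:
            return "lookalike"
    return "unknown"

def triage(messages, known=KNOWN_CONTACTS):
    """Return (sender, verdict) for payment-related requests whose sender is
    not an exact known contact; these go to out-of-band verification."""
    flagged = []
    for sender, subject, body in messages:
        verdict = classify_sender(sender, known)
        text = (subject + " " + body).lower()
        if verdict != "known" and any(k in text for k in PAYMENT_KEYWORDS):
            flagged.append((sender, verdict))
    return flagged

# Constructed sample messages modelled on the scenarios in the article.
SAMPLE_MESSAGES = [
    ("ap_team@example-vendor.com", "Invoice 4471", "Attached is this month's invoice."),
    ("ap.team@example-vendor.com", "Updated payment instructions", "Please wire to our new bank account."),
    ("cfo@grandhote1.example", "Urgent equipment purchase", "Process the wire transfer today."),
    ("newsletter@unrelated.example", "Weekly digest", "Industry news roundup."),
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_MESSAGES):
        print(f"VERIFY OUT OF BAND: {sender} ({verdict})")
```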
Social engineering fraud is the use of deception to induce individuals into divulging confidential information or engaging in detrimental activity, usually with consequences that harm financial interests, security or privacy. A BEC is one type of social engineering fraud. Social engineering is so effective for fraudsters because it takes advantage of the primary tools of employment – computers and email. Employees' reliance on electronic data and computer-based communication to perform their jobs, coupled with human beings' propensity to trust, forms the perfect platform for fraud.
In addition to initiating wire transfers based on fraudulent instructions, social engineering schemes can result in ransomware attacks or phishing scams designed to induce organizations to release private information that can be used in perpetuating other schemes. An example of the latter is a scheme common in the first part of any calendar year: an email is sent to human resources or accounting purporting to be from someone in upper management requesting all W-2 information including employees' names and social security numbers. The information is then used to victimize those individual employees.
Not only do these schemes result in the loss of money and property, they can result in a loss of goodwill with vendors and customers. If a business partner receives a fraudulent email purportedly from your organization, the relationship may become strained and you may be blamed for allowing the scheme to happen. In addition, employees whose personally identifiable information was compromised may bring claims against you, which can be costly to defend. The potential loss from these schemes is significant in terms of the actual loss sustained, lost or damaged business relationships, legal proceedings, and adverse publicity.
Practical Tips to Avoid Being the Victim of Fraud
The frequency of these schemes and the severity of the losses call for effective risk management practices involving all departments and employees in your organization, including the following:
- Management should keep informed of the latest trends by signing up for scam alerts from the Federal Trade Commission at ftc.gov/scams.
- Do not rely solely on IT for cyber security. While IT should take every possible step to protect and maintain system security, each and every user needs to be trained and informed about what to do to protect company computers and data. Fraudsters often gain access into systems by inducing employees to open unsafe email attachments or click on internet links or pop-ups.
- Employ verification procedures before wire transfers are initiated. Do not rely on email correspondence with the sender because the email may be fraudulent. Low-tech or no-tech solutions such as face-to-face approval, phone calls, or texts using approval codes that are not retained in the computer system are options. Work with vendors and customers to make sure they are also employing verification measures.
- Be suspicious of instructions to wire transfer funds to accounts in foreign countries. The IC3 reports that Asian banks located in China and Hong Kong remain the primary destination for fraudulent funds. Banks in the United Kingdom, however, are also identified as destination institutions.
- Train your employees. Not only is it essential to train accounting personnel on these schemes and on procedures to recognize and prevent fraud, but human resources personnel also need to be aware of the W-2 schemes and how to handle requests for W-2 information.
- All employees need to be aware that introducing data from outside sources affects cyber security. If someone in guest services finds a thumb drive in the hotel lobby, they should not try to open any file contained on it by using a company computer.
Because cyber threats can come from anywhere in the organization, reviewing procedures and training all employees can go a long way to reduce exposure to and risk from cyber fraud. If you are the victim of fraud, involve your banking institution and law enforcement as soon as possible.
Cyber insurance is an important coverage for every organization to consider, and cyber policies typically contain various coverage parts to address different exposures. One aspect of the coverage is to help the insured organization get up and running following a ransomware attack or other cyber breach.
Insurers typically provide insureds access to breach coaches, forensic consultants, and law firms as the situation warrants. Cyber policies also provide assistance with required notifications to individuals whose personally identifiable information has been compromised. Additionally, most Cyber insurance policies provide coverage for claims brought against an insured for specified liability exposures arising out of a breach event. Less commonly, Cyber insurers may offer some form of coverage for a social engineering loss. Coverage typically includes defense costs and loss.
Cyber coverage is not issued on a standardized policy form; the terms, conditions, and exclusions vary broadly from insurer to insurer. In addition to the scope and terms of the coverage, organizations should work with their insurance brokers to review limits of liability.
Commercial Crime coverage is another potential avenue for assistance with a loss from a social engineering scheme. While Commercial Crime policies tend to be more standardized, carriers may offer some coverage extension specifically for loss arising from a social engineering fraud. These policies also vary in scope and have been the subject of recent court decisions in different jurisdictions reaching different results. Hotel executives should review their Commercial Crime coverage and discuss any questions with their insurance brokers.
Finally, Employment Practices Liability Insurance (EPLI) may provide some assistance for claims by employees whose privacy was actually or allegedly violated in connection with a W-2 fraud. EPLI typically provides coverage for defense costs and loss (both defined terms in the policies) for claims by current or former employees alleging wrongful acts. While policy definitions are insurer-specific, privacy torts are commonly included in the insuring agreement.
In getting the most benefits out of your insurance coverage, it is important to review how and when to report losses. Cyber Insurance, Commercial Crime and EPLI frequently require prompt reporting of matters either upon discovery or upon notice of a "claim" as defined by the applicable policy. In addition, Cyber Insurance carriers often require the use of insurer-appointed vendors, including forensic firms, breach coaches, law firms and notification vendors. Involving your IT department early on to make sure only approved vendors are used is essential to maximizing coverage. EPLI insurers often require the use of insurer-appointed defense counsel depending upon the policy type.
Although Benjamin Franklin was credited with discovering electricity and recognized as a visionary and futurist, it is unlikely that he could have foreseen electricity's impact on society or how it would enable the great technological innovations of our time. In turn, these transformational advancements have also led to criminal innovation in the form of cyber fraud. Franklin is often quoted as saying that an ounce of prevention is worth a pound of cure. This axiomatic observation could not be truer when it comes to preparing for cyber fraud.
Employee training and awareness is essential to protecting your business from loss. As hackers and thieves become more sophisticated and creative, recognition and diligence are essential for prevention. While insurance may be available, the intangible loss of morale and reputation cannot be insured even if there is coverage for the loss itself.
HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.